While there are definite benefits to having a zero trust network, it’s also convenient to outsource all the certificate management.
First you need to create a cert with ACM, either by importing it, or letting them do it (managed renewal ftw!):
Certificate:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: !Ref 'DomainName'
ValidationMethod: DNS
That in hand, you can create the LB, Listener & Target Group:
LoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: foo
Subnets:
- !Ref PublicSubnet1
- ...
SecurityGroups:
- !Ref SecurityGroup
LoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref LoadBalancer
Port: 443
Protocol: HTTPS
DefaultActions:
- Type: forward
TargetGroupArn: !Ref DefaultTargetGroup
SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
Certificates:
- CertificateArn: !Ref Certificate
DefaultTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: foo
VpcId: !Ref Vpc
Port: 80
Protocol: HTTP
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref Vpc
GroupDescription: Enable HTTPS access for LB
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '443'
ToPort: '443'
CidrIp: '0.0.0.0/0'
Make sure you use a public subnet, or you won’t be able to reach the LB!